Ask a Question

APC Security Advisory - Static Factory Password Vulnerability

"

Problem Summary:

Who should read this? Customers with products that have APC's hardware-based network management cards installed that have not upgraded the firmware on their APC equipment in more than 3 years (as of May 2007). APC products that use these cards to attach to the network via a direct Ethernet or token ring connection, or via a console port server, may be affected (see ""How to Determine if Your Model Is Affected"" for more detail). APC's hardware-based network management cards could be compromised by non-privileged users via Telnet or the local serial port using a static factory password. This vulnerability was reported by a customer. APC is not aware of any malicious use of the vulnerability prior to this disclosure.

Impact:
The exploitation of this issue can result in unauthorized control of these devices.

Mitigating Factors:

APC Network Management Cards (models AP9617, AP9618, and AP9619) using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT vulnerable via the network port (Telnet or SSH).

Many firewalls typically block Telnet (well-known port 23) limiting the scope of the vulnerability to intranets.

Vulnerability via the local serial port requires physical access unless it is connected to a console port server or similar device.

A. Disable Telnet protocol until the latest firmware can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.

B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.

How To Determine If Your Model Is Affected:

Examine the products listed below. If your UPS or other device has an AP9606, AP9617, AP9618, or AP9619 card installed then APC recommends you upgrade the card's firmware. Note that in some instances a firmware upgrade requires updating two files, the AOS card operating system and the application file for the device the card is installed in.

If you are not sure whether your UPS or device has one of these cards installed, examine the unit's faceplate for the following:

AP9606 Web/SNMP Management Card

AP9617 Network Management Card EX

AP9618 Network Management Card EM/MDM

AP9619 Network Management Card EM

Your device may still contain a network management card, please refer to your user manual for further information.

This advisory does not apply to any products based on Network Management Card-based AOS revision apc_hw02_aos_212a.bin and later.

Recommendations:
Find your product in the tables below and determine if you have an affected revision. If your product is affected then download and apply an updated firmware revision.

You may upgrade to a newer application revision that has been fixed or stay at the same application revision for those that are listed. Only devices with network support are affected.

Updated firmware can be downloaded directly from APC's web site at: <a href=""http://www.apcc.com/tools/download/?CFID=15668590&CFTOKEN=29075461

If for some reason an updated firmware cannot be applied then:

A. Disable Telnet protocol until a patch can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.

B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.

NMC-enabled

Affected

Fixed In

Product Description

AOS Rev

APP Rev

AOS Rev

APP Rev

Smart-UPS

aos 105

sumx 105

aos 107b

sumx 105

115

115

118c

115

125

120

126b

120

125

125

126b

125

211

210

212a

210

Symmetra, Symmetra RM

aos 105

sy 105

aos 107b

sy 105

115

116

118c

116

120

120

126b

120

211

210

212a

210

Symmetra PX

aos 105

sy3p 105

aos 107b

sy3p 105

115

115

118c

115

211

210

212a

210

Silcon

aos 105

dp3e 105

aos 107b

dp3e 105

115

116

118c

116

Automatic Transfer Switch

aos 105

ats 106

aos 107b

ats 106

DC Systems Products (MX28B)

aos 106

mx28 110

aos 107b

mx28 110

Switched Rack PDU

aos 116

rpdu 102

aos 118c

rpdu 102

MasterSwitch Plus

aos 116

msp 100

aos 118c

msp 100

Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be apc_hw02_AOS_REV.bin and apc_hw02_APP_REV.bin.

Zipped versions of both AOS and APP revsions are available for all combinations. The full filenames for the zipped versions will be apc_hw02_AOSREV_APPREV.exe.

If your firmware revision is not listed, please upgrade to the latest fixed revision.

AP9606-enabled

Affected

Fixed In

Product Description

AOS Rev

APP Rev

AOS Rev

APP Rev

Smart-UPS

all earlier revs

aos 326b

sumx 326a

Symmetra

all earlier revs

aos 326b

sy 326a

Silcon

all earlier revs

aos 326b

dp3e 326a

DC Systems Products (MX28B)

all earlier revs

aos 306b

dm3k 105a

Environmental Monitoring Unit

all earlier revs

aos 326b

em 205a

MasterSwitch (all)

all earlier revs

aos 309a

ms 225a

MasterSwitch Plus

all earlier revs

aos 258b

msp 205a

MasterSwitch VM

all earlier revs

aos 258b

msvm 115a

Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be AOSREV.bin and APPREV.bin.

If your firmware revision is not listed, please upgrade to the latest fixed revision.

Firmware upgrades are not and will not be provided for these products:

SmartSlot SNMP Management Adapter (AP9605)

External SNMP Management Adapter(AP9205)

Token Ring Management Card (AP9603)

APC recommends that you disable any Telnet interface if present or remove the network connection from the card.

All other APC product families are unaffected.

Pictures of the Management Card Faceplates:

If you are not sure whether your UPS or device has one of these cards installed, examine the unit and look for the following faceplates and model numbers [Model number is circled]:

Exploitation and Public Announcements:
APC is not aware of any malicious use of the vulnerability described in this advisory. The vulnerability described in this advisory was originally found by Dave Tarbatt.

Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution:
This advisory will be posted on APC's worldwide website at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988

Future updates of this advisory, if any, will be place on APC's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Copyright:
This notice is Copyright 2004 by APC. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.

Appendix A - Instructions for disabling Telnet access:
These Screen shots show where to enable and disable Telnet:
To disable telnet from the HTML interface: